Resources
Publisher data protection agreement
These data protection terms constitute the Data Protection Agreement (“DPA”) referred to in the Ozone Publisher Terms and Conditions and are incorporated into the Agreement between Ozone and the Publisher identified on the applicable Service Order. This DPA shall apply in respect of the processing of Personal Data by either Party under or in connection with the Agreement and shall survive termination of the Agreement and continue in force for the duration of any such processing.
1.1 Capitalised terms used in this DPA shall have the meanings given to them in the Agreement. All other capitalised terms used in this DPA (which are not defined in the Agreement) shall have the meanings given to them as follows:
“Controller” has the meaning given to that term in the Data Protection Laws;
- “Data Protection Laws” means (a) the EU GDPR and the UK GDPR as applicable; (b) the DPA 2018; (c) EC Directive 2002/58/EC on Privacy and Electronic Communications; (d) The Privacy and Electronic Communications (EC Directive) Regulations 2003 and (e) all local laws or regulations implementing or supplementing the foregoing legislation and all other laws concerning the processing or protection of Personal Data; and (e) all binding codes of practice and guidance issued by national regulators relating to aforementioned laws and regulations;
- “Data Subject” has the meaning given to that term in the Data Protection Laws;
- “DPA 2018” means the UK Data Protection Act 2018;
- “EEA” means the European Economic Area;
- “EU GDPR” means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
- “IAB TCF ” means the IAB Europe Transparency & Consent Framework published by the Interactive Advertising Bureau Europe as amended from time to time;
- “Joint Controller Terms” means the terms set out in Annex 1 to this DPA;
- “Ozone Privacy Notice” means Ozone’s Platform Privacy Notice which is located at https://ozoneproject.com/platform-privacy (as may be updated by Ozone from time to time);
- “Personal Data Breach” has the meaning given to it in the Data Protection Laws;
- “Personal Data” has the meaning given to that term in the Data Protection Laws;
- “Processor Terms” means the terms set out in Annex 2 to this DPA;
- “Publisher Privacy Notice” has the meaning given to it in clause 3.1(a) of this DPA;
- “UK GDPR” has the meaning given to it in the DPA 2018;
2.1 The Parties may agree Service Orders from time to time (which incorporate these terms and 2.1 Notwithstanding any other provisions of this DPA or the Agreement, each party shall:
- (a) comply with the obligations imposed on it by applicable Data Protection Laws;
- (b) provide each other with reasonable cooperation and assistance in respect of any communication issued or investigation initiated by a supervisory authority relating to the Services; and
- (c) comply with its respective obligations with respect to Security Breaches contained in the Agreement, including without limitation notifying the other party of Security Breaches without undue delay after becoming aware of the same, and in any event within 24 hours after becoming aware. For the purposes of this DPA and the Agreement, the parties acknowledge and agree that a Personal Data Breach shall constitute a Security Breach (as defined in the Agreement).
3.1 Publisher shall:
- (a) publish, on each Publisher Property, a privacy policy or notice that satisfies Publisher’s obligation to comply with its transparency obligations contained in the Data Protection Laws (“Publisher Privacy Notice(s)”);
- (b) expressly name Ozone in the Publisher Privacy Notice(s) (including where such Privacy Notice is made available as part of a consent management platform implemented in accordance with Data Protection Laws) as a party for whom, and by whom, Personal Data about the User is collected through the Publisher Properties and include in such Publisher Privacy Notice(s) clear and prominent links to the Ozone Privacy Notice (to enable Ozone to fulfil its own transparency obligations contained in the Data Protection Laws) and any opt-out mechanisms operated by Ozone, in each case as notified to Publisher by Ozone;
- (c) for and on behalf of Ozone and/or Ad Partners, obtain, and on reasonable request evidence, consent for cookies (and/or similar technologies) of Ozone and/or Ad Partners (as applicable) to be set on and accessed from devices that are used by Users when they visit each of the Publisher Properties;
- (d) assist Ozone as reasonably necessary to enable Ozone and/or an Ad Partner to demonstrate that it has a lawful basis for processing the Personal Data relating to Users of the Publisher Properties for the purposes of performing the applicable Services described in the applicable Service Order; and
- (e) on and in respect of each Publisher Property, implement appropriate technical measures (such as cookie banners and consent management platforms), and adopt the IAB TCF (and/or such other framework or policy which complies with Data Protection Laws) for the purposes of ensuring that:
- (i) Ozone and Ad Partners are able to comply with their respective obligations under the Data Protection Laws; and
- (ii) Publisher complies with its obligations under the Data Protection Laws as well as its obligations set out in this DPA.
4.1 The parties acknowledge and agree that as part of its provision of the Services, Ozone will process certain Personal Data as described in the applicable Service Order.
4.2 Ozone and Publisher acknowledge that the status of each party is a matter of fact under Data Protection Laws. Notwithstanding the foregoing, the status the parties and in particular whether, in relation each particular Services performed under each Service Order (a) the parties will act as Joint Controllers, or (b) the Publisher shall be the Controller and Ozone shall be the Processor, shall be specified in the relevant Service Order.
4.3 Where, in accordance with the relevant Service Order, in relation to particular Services:
- (a) the parties will act as Joint Controllers, then in such case the Joint Controller Terms attached at Annex 1 to this DPA shall apply; and/or
- (b) the Publisher shall be the Controller and Ozone shall be the Processor, the Processor Terms attached at Annex 2 to this DPA shall apply.
5.1 The parties acknowledge and agree that the limitations and exclusions of liability in the Agreement shall apply in respect of this DPA.
5.2 Where, in accordance with the provisions Article 82 of the EU GDPR or UK GDPR both parties are responsible for the act, or omission to act, resulting in the payment of Losses by a party, or both parties, then a party shall only be liable for that part of such Losses which is in proportion to its respective responsibility.
5.3 Each party shall indemnify the other against all Losses suffered or incurred by the indemnified party arising out of or in connection with a breach of the Data Protection Laws by the indemnifying party, its employees or agents.
5.4 The indemnified party shall give to the indemnifying party prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and, to the extent permitted by the Data Protection Laws and the applicable supervisory authority, sole authority to manage, defend and/or settle it.
6.1 This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by and construed in accordance with English law.
6.2 Each party irrevocably agrees to submit to the exclusive jurisdiction of the courts of England in relation to any claim or matter arising out of or in connection with this DPA (including non-contractual disputes or claims).
General
1.1 Where the relevant Service Order specifies that the parties will act as Joint Controllers in relation to certain Services, then in such case these Joint Controller Terms shall apply. The parties acknowledge and agree that it is their intention to act as joint Controllers in relation to the processing of the applicable Personal Data undertaken as part of the Services performed under the applicable Service Order.
1.2 Each party agrees to comply with these Joint Controller Terms and acknowledges that, except as expressly stated otherwise in this DPA or as required by applicable Data Protection Law, it is (as between the parties) solely responsible for ensuring that it meets all of its obligations under Data Protection Law.
1.3 These Joint Controller Terms determine and specify the parties’ respective responsibilities for compliance with Data Protection Laws in relation to the applicable Processing as set out below:
- (a) each party shall be responsible for ensuring it has an appropriate legal basis for its processing;
- (b) Publisher shall be responsible for providing information to Data Subjects regarding the applicable processing undertaken by the parties pursuant to the applicable Service Order, and, in accordance with Publisher’s obligations under clause 3.1 of the DPA, shall ensure that the Publisher Privacy Notice includes appropriate and sufficient information regarding the collection by and transmission to Ozone of Personal Data; and
- (c) without prejudice to Publisher’s obligations under clause 1.3(b) of this Annex, Ozone shall also make the essence of the Joint Controller arrangement between the parties available to Data Subjects by way of the Ozone Privacy Notice.
1.4 The parties shall designate a contact point for Data Subjects and make the details of such contact point available in its respective privacy notice.
Communications
If either party receives any communication from a supervisory authority which relates directly or indirectly to:
- (a) the other party’s processing of Personal Data; or
- (b) a potential failure to comply with Data Protection Laws in relation to the applicable Services, the receiving party shall, to the extent permitted by Data Protection Laws and Applicable Laws, promptly provide notice of the communication to the other party.
Handling of personal data supplied by or on behalf of publishers
Ozone shall ensure that any Personal Data supplied by or on behalf of Publisher shall:
- (a) be kept confidential in accordance with the Agreement; and
- (b) only be accessible to its staff to the extent necessary to properly perform its obligations and exercise its rights under the Agreement, who are informed of its confidential nature and the security procedures relating to it, and who are contractually bound to maintain its confidentiality.
Rights of individuals
4.1 The parties acknowledge and agree that Data Subjects may exercise their rights against either of the parties. Accordingly, each party shall have in place a process for handling:
- (a) requests that it receives from Users to exercise any of their rights to access, rectify, erase, restrict or object to processing of Personal Data, or to data portability; and
- (b) any other requests, complaints, queries or claims made by a User in relation to the processing of their Personal Data,
- (each a “Data Subject Request”) in accordance with Data Protection Laws.
4.2 If a party receives a Data Subject Request concerning Personal Data processed in connection with the Agreement, the receiving party shall respond to that request in accordance with Data Protection Laws.
4.3 If and to the extent that such a Data Subject Request refers to the other party, or where it is otherwise required to enable the other party to comply with its obligations under Data Protection Laws, the receiving party shall promptly, and in any event within seven days after it receives the request, inform the other party of the Data Subject Request and the parties shall cooperate and provide reasonable information and assistance to each other to enable the parties to comply with their respective obligations under Data Protection Laws.
International transfers
Neither party shall transfer any Personal Data to the other party where such other party is located outside of the European Economic Area (EEA) and/or United Kingdom (UK) unless adequate safeguards (including without limitation any applicable and necessary supplemental measures) are implemented in accordance with Data Protection Laws.
General
Where the relevant Service Order specifies that the Publisher shall be the Controller and Ozone shall be the Processor in relation to certain Services, then in such cases these Processor Terms shall apply, and the parties acknowledge and agree that it is their intention that the Publisher shall be the Controller and Ozone shall be the Processor in relation to the processing of the applicable Personal Data undertaken as part of the Services performed under the applicable Service Order.
Ozone obligations
2.1 Ozone shall:
- (a) Only act on the Publisher’s documented instructions unless otherwise required by Data Protection Law to which Ozone is subject, and Ozone shall immediately inform the Publisher if, in Ozone’s opinion, an instruction infringes applicable Data Protection Laws;
- (b) Ensure that Ozone’s employees, officers, agents, sub-contractors and/or authorised representatives authorised to Process the applicable Personal Data are subject to a contractual duty of confidentiality in relation to the applicable Processing;
- (c) Maintain and implement appropriate technical and organisational measures to protect the applicable Personal Data against any data breach or other form of unlawful processing, loss, or destruction (including, as appropriate, measures pursuant to Article 32 of the EU and/or UK GDPR);
- (d) Assist the Publisher by appropriate technical and organisational measures in responding to, and complying with, data subject requests;
- (e) Provide such assistance as the Publisher may reasonably require to allow it to comply with its obligations under Articles 32 to 36 (inclusive) of the EU and/or UK GDPR (and analogous obligations contained in the Data Protection Laws) in relation to the applicable Personal Data; and
- (f) Provide the Publisher with all information required to demonstrate compliance with the obligations in this Annex, and submit to annual audits and inspections of systems and processes which are relevant to the Processing of the Personal Data under this Annex, as may be conducted by it or by a third-party auditor mandated by it, provided that: (i) Ozone shall be compensated for its costs and expenses in relation to such audit, (ii) reasonable advance notice shall be given in respect of any such audit, (iii) any such audit shall only be conducted during Ozone’s normal business hours, (iv) any such audit shall be conducted to cause minimal disruption to the Ozone’s business operations, (v) no access shall be given to Ozone’s confidential information or any information relating to Ozone’s Other Publishers and/or financial data, and (vi) any third party auditor shall enter into confidentiality obligations directly with Ozone which are reasonably acceptable to Ozone.
Publishers obligations
3.1 The Publisher shall ensure that:
- (a) the supply and/or making available to Ozone of the applicable Personal Data for the purposes of Processing undertaken by Ozone as part of the applicable Services and its permitted further Processors, where such Processing is authorised by the Publisher, shall comply with the Data Protection Laws; and
- (b) the instructions given by the Publisher to Ozone comply with the Data Protection Laws.
3.2 Where, by operation of clause 2.1 of this Annex, Ozone is obliged to provide assistance to the Publisher, or to third parties at its request (including submission to an audit or inspection and/or the provision of information), such assistance shall be provided at the Publisher’s sole cost and expense, except where such assistance directly arises from Ozone’s breach of its obligations under this Annex, in which event the costs of such assistance shall be borne by Ozone.
Further processors
4.1 Notwithstanding any other provision of the Agreement, Ozone shall be entitled to appoint further Processors to Process the applicable Personal Data, subject to the following conditions:
- (a) Ozone shall notify the Publisher in writing (email sufficient) of its intention to engage such further Processors. Such notice shall give details of the identity of such further Processor and the services to be supplied by it;
- (b) The Publisher shall be deemed to have approved the engagement of the further Processor if it has not served on Ozone a notice in writing (email sufficient) objecting (acting reasonably) to such appointment within 14 days of the date of such notice.
- (c) In the event that the Publisher objects to any such appointment, Ozone and/or the Publisher shall be entitled to terminate with immediate effect the Agreement or any affected part of the Agreement.
4.2 Where Ozone engages another Processor for carrying out specific processing activities on behalf of the Publisher pursuant to this Annex, materially equivalent data protection obligations as set out in this Annex shall be imposed on that other Processor. Where that other Processor fails to fulfil its data protection obligations, Ozone shall remain fully liable to the Publisher, subject to the limitations and exclusions of liability set out in the Agreement, for the performance of that other Processor’s obligations.
4.3 Ozone shall only use Processors outside of the European Economic Area (EEA) and/or United Kingdom (UK) provided that adequate safeguards are implemented in accordance with Data Protection Laws (including without limitation any applicable and necessary supplemental measures).
8.6 Nothing in Clauses 8.4 and 8.5 in any way restricts or limits the Parties’ general obligations at law to mitigate a Loss which it may incur as a result of a matter giving rise to an Indemnified IPR Claim.